From: Raphael Moreira Zinsly <rzinsly@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Subject: [PATCH 2.22 03/14] glob: Add new test tst-glob-tilde
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <1522269821-15007-3-git-send-email-rzinsly@linux.vnet.ibm.com> (raw)
In-Reply-To: <1522269821-15007-1-git-send-email-rzinsly@linux.vnet.ibm.com>
From: Florian Weimer <fweimer@redhat.com>
The new test checks for memory leaks (see bug 22325) and attempts
to trigger the buffer overflow in bug 22320.
(cherry picked from commit e80fc1fc98bf614eb01cf8325503df3a1451a99c)
---
ChangeLog | 8 +++
posix/Makefile | 12 ++++-
posix/tst-glob-tilde.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 154 insertions(+), 2 deletions(-)
create mode 100644 posix/tst-glob-tilde.c
diff --git a/ChangeLog b/ChangeLog
index 4c96691..0e07eb2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-10-21 Florian Weimer <fweimer@redhat.com>
+
+ * posix/Makefile (tests): Add tst-glob-tilde.
+ (tests-special): Add tst-glob-tilde-mem.out
+ (tst-glob-tilde-ENV): Set MALLOC_TRACE.
+ (tst-glob-tilde-mem.out): Add mtrace check.
+ * posix/tst-glob-tilde.c: New file.
+
2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
[BZ #22320]
diff --git a/posix/Makefile b/posix/Makefile
index 15e8818..ec7c24e 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -87,7 +87,8 @@ tests := tstgetopt testfnm runtests runptests \
bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
tst-pathconf tst-getaddrinfo4 tst-rxspencer-no-utf8 \
- tst-fnmatch3 bug-regex36 tst-getaddrinfo5
+ tst-fnmatch3 bug-regex36 tst-getaddrinfo5 \
+ tst-glob-tilde
xtests := bug-ga2
ifeq (yes,$(build-shared))
test-srcs := globtest
@@ -130,7 +131,8 @@ tests-special += $(objpfx)bug-regex2-mem.out $(objpfx)bug-regex14-mem.out \
$(objpfx)tst-rxspencer-no-utf8-mem.out $(objpfx)tst-pcre-mem.out \
$(objpfx)tst-boost-mem.out $(objpfx)tst-getconf.out \
$(objpfx)bug-glob2-mem.out $(objpfx)tst-vfork3-mem.out \
- $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out
+ $(objpfx)tst-fnmatch-mem.out $(objpfx)bug-regex36-mem.out \
+ $(objpfx)tst-glob-tilde-mem.out
xtests-special += $(objpfx)bug-ga2-mem.out
endif
@@ -307,6 +309,12 @@ $(objpfx)bug-glob2-mem.out: $(objpfx)bug-glob2.out
$(common-objpfx)malloc/mtrace $(objpfx)bug-glob2.mtrace > $@; \
$(evaluate-test)
+tst-glob-tilde-ENV = MALLOC_TRACE=$(objpfx)tst-glob-tilde.mtrace
+
+$(objpfx)tst-glob-tilde-mem.out: $(objpfx)tst-glob-tilde.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-glob-tilde.mtrace > $@; \
+ $(evaluate-test)
+
$(inst_libexecdir)/getconf: $(inst_bindir)/getconf \
$(objpfx)getconf.speclist FORCE
$(addprefix $(..)./scripts/mkinstalldirs ,\
diff --git a/posix/tst-glob-tilde.c b/posix/tst-glob-tilde.c
new file mode 100644
index 0000000..9518b4a
--- /dev/null
+++ b/posix/tst-glob-tilde.c
@@ -0,0 +1,136 @@
+/* Check for GLOB_TIDLE heap allocation issues (bug 22320, bug 22325).
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <glob.h>
+#include <mcheck.h>
+#include <nss.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/support.h>
+
+/* Flag which indicates whether to pass the GLOB_ONLYDIR flag. */
+static int do_onlydir;
+
+/* Flag which indicates whether to pass the GLOB_NOCHECK flag. */
+static int do_nocheck;
+
+/* Flag which indicates whether to pass the GLOB_MARK flag. */
+static int do_mark;
+
+static void
+one_test (const char *prefix, const char *middle, const char *suffix)
+{
+ char *pattern = xasprintf ("%s%s%s", prefix, middle, suffix);
+ int flags = GLOB_TILDE;
+ if (do_onlydir)
+ flags |= GLOB_ONLYDIR;
+ if (do_nocheck)
+ flags |= GLOB_NOCHECK;
+ if (do_mark)
+ flags |= GLOB_MARK;
+ glob_t gl;
+ /* This glob call might result in crashes or memory leaks. */
+ if (glob (pattern, flags, NULL, &gl) == 0)
+ globfree (&gl);
+ free (pattern);
+}
+
+enum
+ {
+ /* The largest base being tested. */
+ largest_base_size = 500000,
+
+ /* The actual size is the base size plus a variable whose absolute
+ value is not greater than this. This helps malloc to trigger
+ overflows. */
+ max_size_skew = 16,
+
+ /* The maximum string length supported by repeating_string
+ below. */
+ repeat_size = largest_base_size + max_size_skew,
+ };
+
+/* Used to construct strings which repeat a single character 'x'. */
+static char *repeat;
+
+/* Return a string of SIZE characters. */
+const char *
+repeating_string (int size)
+{
+ TEST_VERIFY (size >= 0);
+ TEST_VERIFY (size <= repeat_size);
+ const char *repeated_shifted = repeat + repeat_size - size;
+ TEST_VERIFY (strlen (repeated_shifted) == size);
+ return repeated_shifted;
+}
+
+static int
+do_test (void)
+{
+ /* Avoid network-based NSS modules and initialize nss_files with a
+ dummy lookup. This has to come before mtrace because NSS does
+ not free all memory. */
+ __nss_configure_lookup ("passwd", "files");
+ (void) getpwnam ("root");
+
+ mtrace ();
+
+ repeat = xmalloc (repeat_size + 1);
+ memset (repeat, 'x', repeat_size);
+ repeat[repeat_size] = '\0';
+
+ /* These numbers control the size of the user name. The values
+ cover the minimum (0), a typical size (8), a large
+ stack-allocated size (100000), and a somewhat large
+ heap-allocated size (largest_base_size). */
+ static const int base_sizes[] = { 0, 8, 100, 100000, largest_base_size, -1 };
+
+ for (do_onlydir = 0; do_onlydir < 2; ++do_onlydir)
+ for (do_nocheck = 0; do_nocheck < 2; ++do_nocheck)
+ for (do_mark = 0; do_mark < 2; ++do_mark)
+ for (int base_idx = 0; base_sizes[base_idx] >= 0; ++base_idx)
+ {
+ for (int size_skew = -max_size_skew; size_skew <= max_size_skew;
+ ++size_skew)
+ {
+ int size = base_sizes[base_idx] + size_skew;
+ if (size < 0)
+ continue;
+
+ const char *user_name = repeating_string (size);
+ one_test ("~", user_name, "/a/b");
+ }
+
+ const char *user_name = repeating_string (base_sizes[base_idx]);
+ one_test ("~", user_name, "");
+ one_test ("~", user_name, "/");
+ one_test ("~", user_name, "/a");
+ one_test ("~", user_name, "/*/*");
+ one_test ("~", user_name, "\\/");
+ one_test ("/~", user_name, "");
+ one_test ("*/~", user_name, "/a/b");
+ }
+
+ free (repeat);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
--
1.8.3.1
next prev parent reply other threads:[~2018-03-28 20:43 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-01 0:00 [PATCH 2.22 01/14] ldd: never run file directly Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 14/14] Record CVE-2018-6551 in NEWS and ChangeLog [BZ #22774] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 01/14] ldd: never run file directly Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 09/14] elf: Compute correct array size in _dl_init_paths [BZ #22606] Raphael Moreira Zinsly
2018-01-01 0:00 ` Raphael Moreira Zinsly [this message]
2018-01-01 0:00 ` [PATCH 2.22 03/14] glob: Add new test tst-glob-tilde Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] Synchronize support/ infrastructure with master Raphael Moreira Zinsly
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22] posix: Sync glob with gnulib [BZ #1062] Raphael Moreira Zinsly
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 05/14] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 10/14] Fix integer overflows in internal memalign and malloc functions [BZ #22343] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 v2] " Raphael Moreira Zinsly
2018-01-01 0:00 ` Carlos O'Donell
[not found] ` <20180405194944.GA44061@aloka.lostca.se>
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Tulio Magno Quites Machado Filho
2018-01-01 0:00 ` [PATCH 2.22 08/14] <array_length.h>: New array_length and array_end macros Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 06/14] elf: Check for empty tokens before dynamic string token expansion [BZ #22625] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 11/14] linux: make getcwd(3) fail if it cannot obtain an absolute path [BZ #22679] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 04/14] sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 02/14] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 12/14] Add ChangeLog reference to bug 16750/CVE-2009-5064 Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 07/14] elf: Count components of the expanded path in _dl_init_path [BZ #22607] Raphael Moreira Zinsly
2018-01-01 0:00 ` [PATCH 2.22 13/14] Record CVE-2018-6485 in ChangeLog and NEWS [BZ #22343] Raphael Moreira Zinsly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1522269821-15007-3-git-send-email-rzinsly@linux.vnet.ibm.com \
--to=rzinsly@linux.vnet.ibm.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).